Mandatory CND disclosure to ISPs will not prevent spam
Last Updated: 28 November 2002
Australian Internet users' privacy is under threat (and in some cases is already being infringed) from a proposal by some Internet Service Providers ("ISPs") and the National Office for the Information Economy ("NOIE") to require telephone companies to automatically transmit Internet users' telephone numbers (CND / Calling Line ID information) to ISPs each time a user connects to the Internet, regardless of the user's privacy preferences.
This paper explains why the proposal will not prevent spam. It is an extraordinarily privacy invasive idea for dealing with the spam problem - a problem that could be significantly reduced by far more effective, non privacy invasive, means.
- The Proposal
- Background Information
- How could mandatory CND reduce spam?
- Why is mandatory CND ineffective in reducing spam?
- Would mandatory CND enable tracking down and prosecution of spammers?
- Threat to Privacy and Anonymity
- Stopping Spam
- Related Resources
Some ISPs and NOIE have proposed, as a claimed means of reducing spam, that telephone companies be required to transmit Internet users' telephone numbers (CND information) to ISPs each time they connect to the Internet, even if the caller has explicitly chosen to keep their telephone number private.
The advocates of the proposal want to remove the right that Internet users currently have under Australian law to protect their privacy by blocking the transmission of their telephone number.
The privacy wishes of any dial-up Internet user would be over-ridden by their telephone service provider (e.g. Telstra, Optus, etc.) regardless of whether the Internet user is a spammer or even a likely spammer. In addition, families and residents of other shared premises who have a silent (unlisted) telephone number, or who have specifically instructed their telephone company not to send CND information with calls from their phone, would have their telephone number disclosed when anyone uses their telephone line to connect to the Internet.
According to newspaper reports, the principal advocate of this largely ineffective, and highly privacy invasive, idea is Justin Milne, the CEO of OzEmail ISP [until October 2002] and Chair of the Internet Industry Association (IIA). OzEmail has long been widely criticised for allowing spammers to use its mail servers. As a result, other ISPs have from time to time blocked all email from OzEmail mail servers. Eventually, in June 2002, OzEmail announced "Spammers tend to use pre-paid accounts to send their junk email, so we have re-engineered our pre-paid products to make spamming very difficult - if not impossible". Apparently OzEmail were able to do that without CND information.
The mandatory CND idea has found its way into the Spam Review Interim Report: The Spam Problem and How it Can be Countered issued by the National Office for the Information Economy (NOIE) on 1 August 2002. Recommendation 3 of the Report states:
"3. ISPs should be assisted to reduce the capacity for spammers to utilise anonymous accounts, through the appropriate implementation of technologies such as Caller Line Identification (CLI) and encouraged to establish identification requirements for prepaid accounts. However, such measures should only be developed if privacy protection levels are maintained or improved."
However, the NOIE report contains no information about why NOIE recommended CND (aka CLI) as a means of reducing spam nor how it could do so.
The proposal is an extraordinarily privacy invasive idea for dealing with the spam problem - a problem that could be significantly reduced by far more effective, non privacy invasive, means.
In order to understand why the proposal is an ineffective means of preventing spam, it is necessary to know what CND is, and what spam is and about the various methods spammers use to send spam. An overview of these matters is provided below, followed by information about the miniscule effectiveness of, and problems with, the proposal.
Calling Number Display
Calling Number Display ("CND") is a service provided by telecommunications providers that automatically displays or presents a caller's telephone number to the recipient of the call.
CND does not identify the caller, it only discloses the number from which a person is calling. However, disclosure of telephone numbers without the consent of the caller presents serious risks to individual's privacy and for this reason when CND was introduced in Australia in 1997 it was on the condition that telephone companies must enable and allow callers to block transmission of their telephone number and at no cost to the caller.
ISPs who propose mandatory CND want to remove the existing right of Australians who are Internet users to choose to block CND. This would result in Internet users being treated as second class citizens, that is, to have less privacy rights than Australians who do not use the Internet. As at May 2002, 30% of calls made by Internet users have CND blocked, according to Justin Milne, Chairman of the Internet Industry Association and CEO of OzEmail.
For more detailed information, see EFA's page: Calling Number Display.
Spam is the bulk emailing of messages to a large number of recipients where some or all of those recipients have not explicitly and knowingly requested those messages. It is a widespread problem on the Internet as the costs of delivery are minimal for the sender but instead are borne by the recipient.
Another name for spam is UBE or Unsolicited Bulk Email. This implies a lot of email is being sent, but quite often people do not realise the numbers involved. Generally, spammers will be sending email across many dial-up lines at the same time and they will be using the full capacity of those lines for a long time. This means they are sending 10s of emails a second, all the time. The amount of emails in total is also extreme, sometimes around 100,000 emails from one source.
How spam is sent
For spam to be able to be sent, the person sending it needs a connection to the Internet. This may be a permanent connection (which is usually high-capacity, and high-priced), or a dial-up connection using a modem and a standard telephone line.
- Prepaid dial-up accounts:
The spammer will acquire a set of pre-paid dial-up accounts. They then use the accounts to send email via the dial-up connection continuously using purpose-built spam sending software until they have sent all their emails or they are found and their accounts terminated by the ISP. They then start sending spam again with a different set of accounts.
The CND proposal addresses only this method of sending spam and would have only a miniscule effect, if any, on the amount of spam received by Australian Internet users. There are other more effective, less privacy invasive, methods of stopping spam from being sent using prepaid accounts.
- Open Email Relays:
Another way that spammers send spam is by directly connecting their computer to a remote email server called an open relay. An open relay is a mail server that allows anyone, anywhere in the world, to send mail through it. For example, an open relay made available by an Australian ISP can be used by a spammer in say Korea to send spam to people in Europe (and anywhere else including Australia). Mail servers can be configured so that they only allow the server to be used for mail that is going to or coming from the mailboxes it services (e.g. the ISP's customers or the company's employees). An open relay owner has no relationship to the spammer at all and is quite unaware of the spammer using their mail server until someone who receives the spam complains to them.
The CND proposal would not have any effect on the problem of spam being sent through open relays. Moreover, ISPs do not need CND information to configure their mail servers so that they are not open relays.
How could mandatory CND reduce spam?
Currently, when an ISP finds one of their customers sending spam through their network, they can cancel that customer's account, record the customer's name, credit card number, etc. and refuse to allow that person to open another account. Many ISPs already do this and they do not need CND information to do so because they know who the customer is.
However some Australian ISPs, for example OzEmail, choose to sell anonymous prepaid accounts. Although an ISP can cancel an anonymous prepaid account that is being used by a spammer, the same spammer can immediately start using a different prepaid account and the ISP does not know it is the same spammer. For example, the same spammer could use an account name of 'johnsmith' the first time and 'janedoe' the second.
The mandatory CND proposal aims to enable ISPs to use calling telephone numbers to match the first account to the second and subsequent account, that is, to assume that 'johnsmith' and 'janedoe' are the same person because they use the same phone number. Apparently, all accounts would be linked to the phone number or set of phone numbers that a customer uses to log in to the ISP's network. Then, when an Internet access account is found to be spamming, the ISP could look up the telephone number/s used by that account and then blacklist the telephone number/s so that any future attempts (by anyone) to send email (including email that is not spam) from an account/Internet connection using a blacklisted telephone number would be blocked by the ISP.
Why is mandatory CND ineffective in reducing spam?
Mandatory CND disclosure is a largely ineffective means of minimising spam because it addresses only the relatively small (in the global context) spam problem arising from spammers who purchase anonymous prepaid dial-up accounts from Australian ISPs who choose to sell same. Furthermore the extent, if any, to which it would reduce spam is dependent on the spam-prevention efforts of those particular Australian ISPs.
Spammers could still send thousands of spam emails from a prepaid (or any) account
Unless an ISP has an automatic rate limit (or other rate checking system) set up on their mail server, the first time a spammer uses a particular telephone number to connect to the Internet and send spam, the ISP will be unaware that spam is being sent through their mail server until a recipient of the spam complains to the ISP about it. In the meantime, a spammer can successfully send thousands of spam emails. The mandatory CND proposal would make no difference to the number of spam emails that can be sent using a particular telephone number for the first time.
When an ISP has an automated email rate limit (i.e. a limit on the number of emails that can be sent from an account in a specified period of time) set up on their mail server, the spammer can be blocked the first time (and also subsequent times) they send spam using the ISP's system, regardless of the phone number they use to connect to the ISP's system. ISPs can (and some do) configure their mail server to automatically block attempts to send email from an account that has exceeded their rate limit.
The mandatory CND proposal only addresses the problem of a prepaid dial-up account being used to send a great deal of email. It is the combination of these two things (prepaid account with large amount of email sent) that are the hallmarks of a spammer. These hallmarks are easily detectable, right now, without CND.
It is unlikely that a rate limit would inconvenience anyone who is using a prepaid account to send legitimate emails because, apart from use by spammers, prepaid accounts are normally used by individuals who send a small number of emails at any one time and therefore would not be affected by a rate limit - companies/organisations that send a lot of legitimate emails are unlikely to be using a small prepaid dial-up account.
On 13 June 2002, OzEmail announced "Spammers tend to use pre-paid accounts to send their junk email, so we have re-engineered our pre-paid products to make spamming very difficult - if not impossible". Apparently this included a rate limit on email sent from OzEmail's pre-paid accounts. Nevertheless, OzEmail's CEO was still apparently claiming on 25 June 2002 that all Internet users' privacy should be invaded by mandatory CND presentation because prepaid anonymous accounts are used by spammers.
Nothing stopping overseas spam
There is nothing in the mandatory CND proposal that can possibly make any difference to the amount of spam that comes from overseas.
While there is a significant amount of spam sent from Australia, there is far more that originates from outside Australia. Over 80% of spam received in Australia originates overseas, according to a survey of ISPs conducted by ACNielson.consult for NOIE in 2002. Similarly, CAUBE estimates that Australia accounts for only about 16% of all spam sent globally.
In other words, even if the mandatory CND proposal is implemented in full, it would have no effect on the approx. 80% of spam that comes from overseas.
CND not available in all places
A great majority of callers are connected to telephone exchanges that have CND enabled. However there are places where CND is not available. These are not just remote locations but even some exchanges within the Sydney area do not present CND.
ISPs would have to configure their systems to allow calls from these areas without CND. Spammers will find out where these locations are and dial-up from there.
Shared Telephone Lines
Many individuals share a telephone line with other people, e.g. people who share a flat/house, families, individuals who log in to their personal account from their workplace telephone line, etc. If an ISPs blacklists a telephone number that has been used to connect to their service and send spam, then other people who use that phone number and have a separate account with the same ISP will not be able to send email either.
Will ISPs prevent everyone who uses the shared telephone line from sending email? Unless they do so, the spammer will be able to send more spam, for example, by purchasing another anonymous prepaid account and using the same phone number.
Would mandatory CND enable tracking down and prosecution of spammers?
Many Australian ISPs already know the names and addresses of some major Australian-based spammers. If these spammers' activities infringe Australian law, ISPs could already ask law enforcement agencies to take action against those spammers. Apparently no such action has been taken. This is probably because, broadly speaking, it is not illegal under Australian laws to send spam.
While some Australian laws are applicable to the sending of some types of spam, the range of spam covered is very narrow. The laws do not apply to the vast majority of spam because the Australian Government has specifically chosen not to enact such laws and instead to enact laws, such as the amendments to the Commonwealth Privacy Act (effective December 2001) that contain specific exemptions for direct marketers and spammers.
In addition, even if the mandatory CND proposal was implemented, and it was illegal to send the spam, CND information would only provide the telephone number a spammer used to log in to the ISP's system. It does not identify the person who was using the telephone line at the time. It is doubtful that CND information would provide the standard of proof necessary for a successful criminal prosecution. Among other things, telephone lines can be tapped into and used by criminals who have no association with the owner or normal users of the telephone service.
Threat to Privacy and Anonymity
General information regarding the risks to privacy posed by CND is available on EFA's main page about CND.
The mandatory CND disclosure proposal, if implemented, would infringe individuals' privacy for the alleged purpose of preventing spammers from invading their privacy. Provision of CND information to ISPs without the specific consent of the caller would facilitate ISPs' use (and/or their staff members' use) of this information for privacy invasive purposes unrelated to reducing spam. Internet users should not be required to provide personal information such as their calling number to ISPs simply because some ISPs claim it is necessary to reduce spam. As discussed herein, there are far more effective, non privacy invasive, means of reducing spam.
The NOIE Spam Review Interim Report (1 Aug 2002) states that several draft recommendations are reliant on "reducing the ability of individuals to obtain access to the Internet anonymously" and that "This would require: ... consideration of the implication for NPP 8 ('Anonymity Principle')" contained in the Commonwealth Privacy Act.
As discussed above, "reducing the ability of individuals to obtain access to the Internet anonymously" would have miniscule affect on the amount of spam received by Australian Internet users. ISPs are already able to use technical means to significantly restrict the amount of spam that can be sent from an anonymous account.
Even if there was no other means to reduce spam sent from anonymous prepaid accounts, there is no need to require or even "encourage" ISPs to require all their customers to provide their calling telephone number. Most Internet users are not spammers and do not use anonymous accounts.
Moreover, it is not necessary for spammers to use anonymous accounts. There is at least one very well known West Australian based business that has been spamming for several years. While the business apparently sometimes uses anonymous accounts, the content of their spam identifies them in any case. It appears unlikely that this type of spammer will be stopped until there is legislation prohibiting their spamming activities, because some ISPs are apparently willing to have them as paying customers and existing Australian privacy legislation contains exemptions for spammers and direct marketers.
EFA considers reducing the ability of individuals to obtain access to the Internet anonymously would infringe NPP 8 of the Privacy Act and would not result in a reduction in spam. Spammers will simply use methods other than anonymous pre-paid accounts provided by Australian ISPs to send spam. Removal of exemptions and loopholes used by Australian spammers from existing Australian privacy legislation would be more effective in reducing spam than would infringing Internet users' privacy by requiring mandatory disclosure of CND information.
ISPs can reduce spam being sent through their network, if they want to
ISPs can also do a lot technically to either reduce or eliminate spam originating on, or being sent through, their network. For example, as outlined above, implementation of an automated rate limit on email sent from anonymous prepaid accounts is far more effective than the mandatory CND proposal.
Quite often ISPs fail to do even basic protection work on their networks, for example ensuring their mail servers are not open relays, or do not have adequate complaint handling procedures and ignore the danger signs that someone is misusing their network. This sort of protection work should be undertaken and would have a large impact on spam originating from an ISPs network. Long-standing best practice principles are not being followed.
Many ISPs have implemented best practice principles and have thereby made it hard for spammers to use their network. However, spammers work out which ISPs either don't care about spam or have weaknesses in their network security and use those ISPs exclusively. Mandatory CND would not make any difference to the ease with which spammers can use such ISPs' systems.
ISPs can provide spam minimisation options to customers, if they want to
In addition to undertaking technical protection work to prevent spam originating from their own network, ISPs can also offer their customers options to minimise spam received from other ISPs' networks in Australia and overseas. As detailed above, the mandatory CND proposal would have little, if any, effect on spam originating in Australia and no effect at all on the approx. 80% of spam that originates outside Australia.
For example, reportedly, quite a number of Australian ISPs have installed spam filtering software, such as SpamAssassin, and made use of such a filtering facility available to their customers on an optional basis. The automated technical manner in which all filtering software work results in spam filtering software identifying some messages as spam that should not be, and failure to identify some messages that are spam. However, when used voluntarily by an Internet user, and depending on how their ISP installs, configures and makes available such spam filtering software, such an option can make it significantly less time consuming for Internet users to distinguish between messages that are, and are not, spam and/or to choose to have messages identified as spam sent to a separate email box, or not be received at all.
Spam filtering software is not a solution to the spam problem. There is far too high a risk of legitimate email being incorrectly caught and the cost of receiving the spam is borne by recipients and/or their ISPs. However spam filters are of more use in dealing with the problem of the approx. 80% spam being received from overseas than is the mandatory CND proposal.
According to the NOIE report dated 16 July 2002, "the recent ACNielsen.consult survey of Australian ISPs found that, of the five largest ISPs, only one filtered for spam before their mail servers forwarded mail to customers. One of the remaining four said it is active in encouraging its customers to employ filter products (provided through the ISP at a discounted price). Of the other smaller Australian ISPs, most employed filters before forwarding mail, but many did not filter for all spam".
It appears, from OzEmail's newsletter of 13 June 2002, that OzEmail has no intention of providing a spam filtering option to customers that operates before email is forwarded to customers. The newsletter stated: "OzEmail is on the lookout for a desktop anti-spam solution for you".
Necessary Amendments to the Privacy Act 1988 (C'th)
EFA considers the Privacy Act 1988 (C'th) should be amended as a matter of urgency to remove the existing exemptions and loopholes (intended or otherwise) that permit spammers and direct marketers to collect and use individuals' personal information (such as their email address) for the purpose of sending them unsolicited information without the explicit prior consent of the individual. EFA raised this issue in two submissions (1, 2) to the two Parliamentary inquiries into the provisions of the Privacy Amendment (Private Sector) Bill 2000 and warned that the provisions would have the effect of legitimising spam.
Provisions of the Act that need to be changed include those concerning "primary purpose" of collection of personal information, the specific exemption for direct marketing, and the small business exemption. For additional information, see the Office of the Federal Privacy Commissioner's submission to NOIE. Although the OFPC submission raises the issue of whether or not some types of email addresses would fall within the definition of "personal information" in the Privacy Act, any arguable greyness of this aspect could be easily dealt with by amending the definition to clearly include any email address. Any email address is very likely to be able to be used to identify the individual who is the recipient of email to that address whether or not their "real" name is obvious to everyone by merely looking at the email address. EFA considers that any individual who chooses to use a pseudonym as their email address should be entitled to the same privacy protections in relation to collection and use of personal information about them - whether or not their pseudonym immediately and obviously identifies them to everyone else.
Forcing Australian Internet users to present their CND information regardless of their privacy choices is an (ineffective) overkill. The mandatory CND disclosure proposal seeks to infringe individuals' privacy for the alleged purpose of preventing spammers from invading their privacy, although it would be of miniscule, if any, effectiveness. Moreover, ISPs can implement far more effective, non privacy invasive, means of reducing spam.
Mandatory presentation of CND information is only being proposed because some ISPs choose to sell anonymous prepaid accounts and/or have not implemented basic technical protections to reduce or eliminate spam originating on, or being sent through, their network.
The proposal seeks to 'trade' ISP operational convenience (technical and paperwork) for the privacy of the public. It seeks to enable some ISPs to claim that they have "done something" to reduce spam without using an effective method.
Many Internet users (just like users of telephone lines for voice calls) have legitimate reasons for not wanting to disclose the telephone number they are dialling from that have nothing whatsoever to do with sending spam or engaging in an illegal activity. The privacy choices of Internet users who do not want an ISP and/or their staff to see the telephone number they are calling from must be respected.
- EFA Calling Number Display and Privacy page.
- EFA's submissions, analyses, reports, etc. on the topic of CND.
Media reports and releases:
- See separate page on EFA's site for links to, and extracts from, media reports and releases concerning proposals to mandate Calling Number Display.